Re: git: 77f72c463b90 - 2024Q1 - x11-servers/xwayland-devel: backport recent secfixes

From: Emmanuel Vadot <manu_at_bidouilliste.com>
Date: Fri, 05 Apr 2024 09:38:06 UTC
On Fri, 5 Apr 2024 10:41:11 +0200
Emmanuel Vadot <manu@bidouilliste.com> wrote:

> On Thu, 04 Apr 2024 15:48:55 +0200
> Jan Beich <jbeich@FreeBSD.org> wrote:
> 
> > Emmanuel Vadot <manu@bidouilliste.com> writes:
> > 
> > >> but also introduced a number of regressions that
> > >> don't exist in my port, all of which were documented in my reviews.
> > >
> > >  What regressions? I've been using xwayland for more than a year on my
> > > desktop instead of -devel and haven't seen a problem.
> > 
> > Try diff xwayland{,-devel}/Makefile:
> > - Missing XSECURITY (ssh -X vs. ssh -Y; xorg-server parity per bug 221984)
> 
>  I admit that I'm a bit lost on this one. I did some tests and here is
> what I found:
> 
>  - Using sway and xwayland (so without xcsecurity enabled) I can't ssh
> -X to an xorg host and run applications (DISPLAY is not set), but I can
> ssh -Y fine
>  - If I enable xcsecurity for xwayland, the behavior is exactly the same
> (i.e. -X doesn't work, -Y does).
>  - I've confirmed that -X works from another xorg host
> 
>  So what I did next was to recompile xorg-server with xcsecurity
> set to false. And to my surprise ssh -X from a xorg host to the one
> with the modified xorg-server still worked.
>  xcsecurity was added in 2018 via PR 221984 which states that it fixes
> -X, and that doesn't seem to be the case: xcsecurity doesn't seem to
> be related to X11 forwarding but to something for grouping clients so they
> can't access each other or something (see
> https://www.x.org/wiki/Development/Documentation/Security/#index2h2 for
> more info).
>  xcsecurity is disabled by default in xorg-server upstream (in meson)
> and I think that we should do the same (granted that XACE works
> correctly).
> 
>  The TLDR is that this has nothing to do with X11 forwarding and that I
> think that not enabling this option in xwayland (and in -devel too) is
> a good thing; one of the benefits of wayland is to drop the old X11
> crappy model.
> 
> > - Missing XDMCP (xorg-server parity, maybe used with rootful Xwayland and GUI login managers)
> 
>  I've lost 2 hours looking at xcsecurity, so unless you can prove to me
> that this option is good to have enabled (and explain what it does
> exactly) I won't look into it for now.

 bapt@ convinced me that it would be a good thing to have.
 Also, we enable it for xephyr, so there is no good reason not to have it in
xwayland. Both gdm and lightdm support XDMCP.

> > - Missing XTEST input emulation (XDG Portal API, required by GNOME, Plasma and maybe rootful Xwayland)
> > - Missing CSD for rootful (mainly for GNOME, optional even if preferred elsewhere)
> 
>  I do agree that both should be enabled, bapt@ started a patch and I've
> asked him to wait so I could have a look at XCSECURITY before.
> 
> > - Broken on DragonFly due to forcing -Dsha1 (already default after I've fixed upstream bug years ago)
> > - Redundant -Dglamor, -Dipv6, -Dxkb_*, libEGL dependency
> 
>  Cheers,
> 
> -- 
> Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>


-- 
Emmanuel Vadot <manu@bidouilliste.com> <manu@freebsd.org>